Update 1: July’s Patch Tuesday: A rich harvest

Version 2 [Update 1] published 18:25 UTC, 14 July 2023, adding information on CVE-2023-36884 and updating totals throughout.

Initially posted at 18:38 UTC on 11 July 2023]

Microsoft on Tuesday released patches for 130 vulnerabilities, including eight critical-severity issues in Windows and two in SharePoint. As usual, the largest number of addressed vulnerabilities affect Windows with 105 CVEs, including two that also affect Azure and one (CVE-2023-36884) that also affects Office. Office takes 10 patches, including three that it shares with Outlook, one that it shares with Windows as noted above, and one that it shares with Access. SharePoint takes five. Azure takes four, though two of those are shared with Windows as noted above. Microsoft Dynamics takes two. Visual Studio and .NET share a patch and each takes another one of their own.

Microsoft is also publishing three advisories that bear a closer look. ADV230001, “Guidance on Microsoft Signed Drivers Being Used Maliciously,” addresses an issue under sustained active exploit for multiple products. For an in-depth look at the situation, including Sophos X-Ops’ role in its discovery, please see the accompanying article; Microsoft has also published a Knowledge Base article on the matter. ADV230002, “Microsoft Guidance for Addressing Security Feature Bypass in Trend Micro EFI Modules,” is also included this month, as is ADV990001, covering the latest Servicing Stack updates.

In addition to the issue detailed in ADV230001, Microsoft flags five patched CVEs, all Important-severity, as being under active exploitation in the wild. Two of those (CVE-2023-32049, CVE-2023-35311) are security bypass issues. In the former, an attacker wielding CVE-2023-32049 could send to a target a specially crafted URL that, if clicked, could bypass the usual Open File – Security Warning prompt; likewise, in the latter, a specially crafted URL could lead to bypass of the Outlook security-notice prompt. CVE-2023-36884 is also under active exploitation as part of what is currently called the “Storm-0978 attack” against the US government. (More on CVE-2023-36884, including Sophos protections, below.) The other two issues under active exploitation are elevation-of-privilege issues touching MSHTML and the Windows Error Reporting Service.

In addition, Microsoft cautions that three of the Windows issues and two of the SharePoint issues addressed are more likely to be exploited in either the latest or earlier versions of the affected product soon (that is, within the next 30 days).

Beyond this update, Microsoft also offered information on three Adobe CVEs (CVE-2023-29298, CVE-2023-29300, CVE-2023-29301) being patched today in Bulletin APSB23-40. All three touch ColdFusion and affect CF2018 update 16, CF2021 update 6, CF2023 GA Release (2023.0.0) and earlier, and Adobe states that all three are less likely to be exploited in the next 30 days. None of the three are previously publicly disclosed.

We are including at the end of this post three appendices listing all Microsoft’s patches, sorted by severity, by predicted exploitability, and by product family.

By the numbers

• Total Microsoft CVEs: 130
• Total advisories shipping in update: 3
• Publicly disclosed: 0
• Exploited: 6 (including ADV230001)
• Severity
  • Critical: 9
  • Important: 121
• Impact
  • Elevation of Privilege: 35
  • Remote Code Execution: 36
  • Denial of Service: 22
  • Information Disclosure: 19
  • Security Feature Bypass: 12
  • Spoofing: 6

Figure 1: An equal number of RCE and EoP issues this month are joined by a bumper crop of Security Feature Bypasses – one Critical-class

Products

• Windows (includes 2 shared with Azure and one shared with Office): 105
• Office (includes one shared with Access, one shared with Windows, and 3 shared with Outlook): 10
• SharePoint: 5
• Azure: 3
• Outlook: 3
• .NET (includes one shared with Visual Studio): 2
• Dynamics 365: 2
• Visual Studio (includes one shared with .NET): 2
• Access (shared with Office): 1
• common_utils.py: 1
• Defender: 1
• Mono: 1
• VP9 Video Extensions: 1

Figure 2: A large number of product families make an appearance in July’s Patch Tuesday set, but Windows continues to rule the roost. (For patches shared by multiple families, the numbers above reflect an instance for each family affected – for example, Visual Studio and .NET each have one patch of their own and share one patch, so in this chart each shows as having two patches)

Notable July updates

ADV230001 – Guidance on Microsoft Signed Drivers Being Used Maliciously

The discovery that drivers certified by Microsoft’s own Window Hardware Developer Program (MWHDP) were being used maliciously in post-exploitation activity will, according to the text of the advisory itself, lead to “long-term solutions to address these deceptive practices and prevent future customer impacts” at Microsoft. In the meantime, please see “Microsoft Revokes Malicious Drivers in Patch Tuesday Culling” for detailed information on what we found.

CVE-2023-36884 — Office and Windows HTML Remote Code Execution Vulnerability

This vulnerability is an RCE affecting both Windows and Office. To successfully exploit it, an attacker would craft a malicious Office document and convince the victim to open it. The problem resides in an undocumented registry key related to MSHTML (the Internet Explorer engine hosted by various Microsoft applications), which is why it touches both Windows and Office. This is the vulnerability currently known to be connected to the Storm-0978 attacks against the US government; Microsoft assigns this one their second-highest severity label of Important and has offered some degree of specific guidance, as well as observations concerning the attack itself.

Based on our analysis of the information available, Sophos customers already have multiple layers of protection against the techniques used in the reported attack and its components, as outlined below:

• Weaponized document in phishing email: A Sophos detection available since 2018 protects against this
• Iframe, CHM components and Impacket attack tool: Other Sophos antimalware detections protect against these
• Post-exploitation activity, including credential theft and lateral movement: Multiple Sophos behavioral runtime detections protect against these
• Ransomware payload reported in the RomCom attack: CryptoGuard protects against this

Finally, some public reports indicate that MSDT.EXE is part of the attack chain. While we have not validated it is part of the attack chain, MSDT.EXE is blocked by HitMan Pro lockdown, a countermeasure we introduced in response to the Follina attacks of May 2022.

CVE-2023-35352 — Windows Remote Desktop Security Feature Bypass Vulnerability

This server-side issue is the month’s sole non-RCE Critical-class patch, and Microsoft assesses that it is more likely to be exploited in the next 30 days. An attacker who successfully exploited CVE-2023-35352 could bypass certificate or private key authentication when establishing a remote desktop protocol session.

CVE-2023-35308 – Windows MSHTML Platform Security Feature Bypass Vulnerability
CVE-2023-35336 — Windows MSHTML Platform Security Feature Bypass Vulnerability

So here’s something you probably weren’t expecting today: Internet Explorer patches. We discuss CVE-2023-36884 above, which like these is a problem with MSHTML. Though IE and even Edge Legacy are deprecated, the MSHTML, EdgeHTML, and scripting programs that lay beneath them are still very much present in Windows. Microsoft therefore states that all versions of Windows except Server 2008, Server 2008 R2, and Server 2012 are affected, and that customers who install Security Only updates should install the IE Cumulative updates to address this one. These aren’t the only MSHTML vulnerabilities this month, nor the most concerning – CVE-2023-32046, an Important-class Elevation of Privilege issue, is under active exploitation in the wild – but it’s definitely odd to see the ghost of the much-maligned Internet Explorer still haunting Patch Tuesday in 2023.

CVE-2023-35333 – MediaWiki PandocUpload Extension Remote Code Execution Vulnerability
CVE-2023-35373 – Mono Authenticode Validation Spoofing Vulnerability

These two items come from product families a little less familiar to regular followers of Patch Tuesday. MediaWiki extensions are developed by Microsoft for internal use, but are accessible to the public via Microsoft’s GitHub; Mono is the venerable open-source .NET-compatible software framework. Both vulnerabilities are judged by Microsoft as less likely to be exploited in the next 30 days, neither is believed to be under exploit in the wild, and both were cooperatively disclosed to Microsoft.

Figure 3: As the year goes on, remote code execution flaws continue to lead the Patch Tuesday pack

Sophos protections

As you can every month, if you don’t want to wait for your system to pull down Microsoft’s updates itself, you can download them manually from the Windows Update Catalog website. Run the winver.exe tool to determine which build of Windows 10 or 11 you’re running, then download the Cumulative Update package for your specific system’s architecture and build number.

Appendix A: Vulnerability Impact and Severity

This is a list of July’s patches sorted by impact, then sub-sorted by severity. Each list is further arranged by CVE.

Remote Code Execution (36 CVEs)

Elevation of Privilege (35 CVEs)

Denial of Service (22 CVEs)

Information Disclosure (19 CVEs)

Security Feature Bypass (12 CVEs)

Spoofing (6 CVEs)

Appendix B: Exploitability

This is a list of the July CVEs judged by Microsoft to be more likely to be exploited in the wild within the first 30 days post-release, as well as those already known to be under exploit. Each list is further arranged by CVE.

Appendix C: Products Affected

This is a list of July’s patches sorted by product family, then sub-sorted by severity. Each list is further arranged by CVE.

Windows (102 CVEs)

Office (10 CVEs)

SharePoint (5 CVEs)

Azure (3 CVEs)

Outlook (3 CVEs)

.Net (2 CVEs)

Dynamics 365 (2 CVEs)

Visual Studio (2 CVEs)

Access (1 CVE)

common_utils.py (1 CVE)

Defender (1 CVE)

Mono (1 CVE)

VP9 Video Extensions (1 CVE)